UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY September 20, 2017

Similar documents
UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY October 25, 2017

Cyber Security Program

Standard for Security of Information Technology Resources

Virginia State University Policies Manual. Title: Information Security Program Policy: 6110

Number: USF System Emergency Management Responsible Office: Administrative Services

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

Subject: University Information Technology Resource Security Policy: OUTDATED

Employee Security Awareness Training Program

Data Inventory and Classification, Physical Devices and Systems ID.AM-1, Software Platforms and Applications ID.AM-2 Inventory

Information Security Data Classification Procedure

Virginia Commonwealth University School of Medicine Information Security Standard

UT HEALTH SAN ANTONIO HANDBOOK OF OPERATING PROCEDURES

01.0 Policy Responsibilities and Oversight

Information Security Incident Response and Reporting

Security Awareness, Training, And Education Plan

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

This regulation outlines the policy and procedures for the implementation of wireless networking for the University Campus.

DIRECTIVE ON RECORDS AND INFORMATION MANAGEMENT (RIM) January 12, 2018

UTAH VALLEY UNIVERSITY Policies and Procedures

Checklist: Credit Union Information Security and Privacy Policies

Acceptable Use Policy

Responsible Officer Approved by

Bring Your Own Device Policy

Juniper Vendor Security Requirements

Data Governance Framework

DETAILED POLICY STATEMENT

DATA STEWARDSHIP STANDARDS

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

Information Security Policy

BFB-IS-3: Electronic Information Security

Minimum Security Standards for Networked Devices

B. To ensure compliance with federal and state laws, rules, and regulations, including, but not limited to:

University Policies and Procedures ELECTRONIC MAIL POLICY

The CISO is the owner of the vulnerability management process. This person designs the process and ensures is implemented as designed.

Policy Document. PomSec-AllSitesBinder\Policy Docs, CompanyWide\Policy

HIPAA Compliance Checklist

SPRING-FORD AREA SCHOOL DISTRICT

The University of Texas at El Paso. Information Security Office Minimum Security Standards for Systems

RMU-IT-SEC-01 Acceptable Use Policy

Mobile Device Policy. Augusta University Medical Center Policy Library. Policy Owner: Information Technology Support and Services

Policies & Regulations

The University of British Columbia Board of Governors

Wireless Network Policy and Procedures Version 1.5 Dated November 27, 2002

Guidelines for Data Protection

STUDENT GUIDE Risk Management Framework Step 1: Categorization of the Information System

INFORMATION RESOURCE SECURITY CONFIGURATION AND MANAGEMENT

PROCEDURE POLICY DEFINITIONS AD DATA GOVERNANCE PROCEDURE. Administration (AD) APPROVED: President and CEO

Information Security Policy

300 Riverview Plaza Odysseus Marcopolus, Chief Operating Officer Trenton, NJ POLICY NO: SUPERSEDES: N/A VERSION: 1.0

Information technology security and system integrity policy.

INFORMATION TECHNOLOGY DATA MANAGEMENT PROCEDURES AND GOVERNANCE STRUCTURE BALL STATE UNIVERSITY OFFICE OF INFORMATION SECURITY SERVICES

State of Colorado Cyber Security Policies

Policy. London School of Economics & Political Science. Remote Access Policy. IT Services. Jethro Perkins. Information Security Manager.

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

INFORMATION SECURITY-SECURITY INCIDENT RESPONSE

SYSTEMKARAN ADVISER & INFORMATION CENTER. Information technology- security techniques information security management systems-requirement

UCL Policy on Electronic Mail ( )

ISE North America Leadership Summit and Awards

A company built on security

Seven Requirements for Successfully Implementing Information Security Policies and Standards

INFORMATION ASSET MANAGEMENT POLICY

ISSP Network Security Plan

Southern Adventist University Information Security Policy. Version 1 Revised Apr

Red Flags/Identity Theft Prevention Policy: Purpose

SECURITY & PRIVACY DOCUMENTATION

OFFICE OF THE DIRECTOR OF NATIONAL INTELLIGENCE INTELLIGENCE COMMUNITY POLICY MEMORANDUM NUMBER

201 CMR COMPLIANCE CHECKLIST Yes No Reason If No Description

Access to University Data Policy

Document Title: Electronic Data Protection and Encryption Policy. Revision Date Authors Description of Changes

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

PHYSICAL & ENVIRONMENTAL PROTECTION GUIDE

IT Governance Committee Review and Recommendation

NYDFS Cybersecurity Regulations: What do they mean? What is their impact?

POLICY 8200 NETWORK SECURITY

2016 SC REGIONAL HOUSING AUTHORITY NO. 3 S EIV SECURITY POLICY

University of North Texas System Administration Identity Theft Prevention Program

THE CALIFORNIA STATE UNIVERSITY SYSTEM-WIDE INFORMATION SECURITY STANDARDS

Security and Privacy Governance Program Guidelines

Virginia Commonwealth University School of Medicine Information Security Standard

Internet, , Social Networking, Mobile Device, and Electronic Communication Policy

Putting It All Together:

EA-ISP-009 Use of Computers Policy

GM Information Security Controls

How To Establish A Compliance Program. Richard E. Mackey, Jr. SystemExperts Corporation

II.C.4. Policy: Southeastern Technical College Computer Use

existing customer base (commercial and guidance and directives and all Federal regulations as federal)

Data Protection Policy

Oracle Data Cloud ( ODC ) Inbound Security Policies

IAM Security & Privacy Policies Scott Bradner

a. UTRGV owned, leased or managed computers that fall within the regular UTRGV Computer Security Standard

Management: A Guide For Harvard Administrators

Cloud Computing Standard 1.1 INTRODUCTION 2.1 PURPOSE. Effective Date: July 28, 2015

Department of Public Health O F S A N F R A N C I S C O

Information Technology General Control Review

Records Retention Policy

Privacy Breach Policy

Institute of Technology, Sligo. Information Security Policy. Version 0.2

CCC Data Management Procedures DCL3 Data Access

Internal Audit Report DATA CENTER LOGICAL SECURITY

Transcription:

UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY September 20, 2017 I. Introduction Institutional information, research data, and information technology (IT) resources are critical assets necessary for the University of Massachusetts Amherst ( UMass Amherst ) to fulfill its missions. To maximize the preservation and protection of these assets, and to manage the risks associated with their maintenance and use, this policy establishes information security governance structure, rules, technical standards, and procedures. By approval of UMass Amherst s Chancellor, this policy exists in conjunction with all other institutional policy. II. Policy Statements Information security is the responsibility of every user of institutional information, research data, and information technology resources. All users who create, access, manage, or manipulate institutional information, research data, or information technology resources must comply with this policy s administrative, technical, and physical safeguards. A. Governance This policy establishes campus information security governance with the creation of roles and responsibilities. Information Security Program Management o Chancellor o Vice Chancellor and Chief Information Officer o Chief Information Security Officer o Vice Chancellors and Deans Information Categorization and Management o Data Stewards 1

o Data Administrators o Data Custodians Information Security Program Implementation o Vice Chancellors and Deans o Department Chairs, Directors, Supervisors, etc. o Security Liaisons o Chief Technology Officer o Service Administrator o Users Additional details regarding the specific roles in these categories are in section IV. B. Information Incident Reporting All users must report incidents involving unauthorized access to institutional information, research data, and information technology resources to the appropriate security liaison or to the UMass Amherst IT Security Team. For more information, visit [insert URL here]. C. Institutional Information and Research Data Categorization Institutional information and research data will be categorized in alignment with federal regulations, contractual obligations, and information risk. 1. Specific technical controls adhere to each category. Data Stewards are responsible for the Categorization of institutional information and research data under their purview. Data Custodians are responsible for using the appropriate security controls associated with each data category. For more information regarding the Categorization of institutional information and research data, see: [URL]. For more information regarding the specific technical controls that adhere to each category, see: [URL]. III. To Whom This Policy Applies This policy applies to every user (including, but not limited to, all faculty, students, staff, contractors, visiting researchers, or guests and volunteers) who accesses, manages, or manipulates institutional information, research data, or information technology resources. 1 The standards are adapted from the Federal Information Processing Standards Publication 199, Standards for Security Categorization of Federal Information and Information Systems (FIPS 199) available at http://csrc.nist.gov/publications/fips/fips199/fips-pub-199-final.pdf. 2

IV. Responsible Parties Every person at UMass Amherst has a responsibility to protect institutional information, research data, and information technology resources that they use or are otherwise within their control. These responsibilities vary based on the functional role of the individual. Depending on those functions, some individuals may have more than one role. This section identifies roles and their corresponding responsibilities. For more information and examples, see: [URL] A. Information Security Program Management The following roles have responsibility for University of Massachusetts Amherst information security framework, oversight, and assistance. 1. Chancellor The Chancellor has primary responsibility for campus information security and safety. The Chancellor may delegate authority for information security to the Vice Chancellor for Information Services and Strategy and Chief Information Officer. 2. Vice Chancellor for Information Services and Strategy and Chief Information Officer (CIO) As a delegate of the Chancellor, the Vice Chancellor for Information Services and Strategy and Chief Information Officer, and Chief Information Officer, will provide executive oversight to the University of Massachusetts Amherst Information Security Program. 3. Chief Information Security Officer (CISO) The Chief Information Security Officer is the University official with the authority to harmonize campus information security. The CISO is responsible for the development, implementation, and maintenance of a comprehensive information security program. 4. Vice Chancellors and Deans The Vice Chancellors and Deans are responsible for program management oversight for the security of institutional information, research data, and information technology resources within their areas of purview. 3

B. Information Categorization and Management As noted in Section II C, institutional information and research data will be categorized in alignment with federal regulations, contractual obligations, and information risk. Specific technical controls adhere to each category. Data Stewards are responsible for the categorization of institutional information and research data under their purview and the implementation of the specific technical controls that adhere to each category. Data Custodians are responsible for following the rules set by the Data Stewards. For more information see: [URL for Data Steward for Institutional Information and Research Data Guidelines.] 1. Data Stewards Stewards have the highest level of responsibility for overseeing the categorization of institutional information and research data, and administering the privacy, security, and regulatory compliance of data sets under their purview (e.g., education records, human resources, financial data). In the case of research data, the Principal Investigator acts as the steward in consultation with research staff. 2. Data Administrators Data Administrators are those individuals who are responsible for a particular line of business or who may have special knowledge of and responsibility for the compliance requirements for certain information or data sets. They have responsibility to inform the appropriate Steward(s) of any requirements or considerations that may influence policy, and set procedures, standards, or guidelines consistent with Steward policies. 3. Data Custodians Custodians are any individuals (employees, volunteers, etc.) who access, manage, or manipulate institutional information or research data. Custodians must follow campus policy and stewardship rules for handling of institutional information and research data. C. Information Security Program Implementation 1. Vice Chancellors and Deans In addition to the responsibilities of Vice Chancellors and Deans as noted in Section IV A 4 above, Vice Chancellors and Dean also have responsibility oversight for the implementation of the information security program within their areas of purview. 4

2. Department Chairs, Directors, Supervisors, etc. Individuals who are responsible for a portion of the campus, such as a program, center, or line of business, shall develop, as needed, more restrictive information security controls for better management of risk to the institutional information or research data for which they are responsible. 3. Security Liaisons The unit security liaison is the person or persons designated by the unit head as the primary contact for the CISO. Their primary role is to share information security training in a manner that works for their unit, to be available for incidents, and provide effective communication between the UMass Amherst IT Security Team and the college or division they represent. For more information see: [URL]. 4. Chief Technology Officer (CTO) For central information technology resources, the Chief Technology Officer, in coordination with the CISO, draws up technology architectural outlines, issues standards, and develops uniform templates for use by central IT and the campus community. For more information see: [URL] 5. Service Administrator A Service Administrator (e.g., application administrator, system administrator, or network administrator) is the individual with principal responsibility for the installation, configuration, and ongoing maintenance of an information technology system. 6. Users In accordance with this policy, users must be aware of the value of information. They must protect information reasonably. Users must therefore follow the requirements for: o Information technology resources; o Institutional information; and o Research data Supervisors may, at their discretion, create specific forms outlining the duties of their direct reports under this policy for review, signature, or workplace performance. 5

V. Standards The user of every device connected to the campus network or that stores or transmits institutional information and research data is responsible for adherence to security control standards. IT administrators either in UMass IT or in specific colleges or units may do the actual installation and configuration work, but it remains the responsibility of the user of that device to have those controls installed, configured and up to date (even if that simply means that when prompted to keep a computer on for its update, the user will comply with the prompt). Faculty or researchers who do not have or accept IT administration support are still subject to these rules and assume all responsibility for maintaining up to date controls on their devices that store or transmit institutional information and research data. This rule applies to whether it is an institutionally owned device or personal, and whether it is on the campus network while physically on the campus or from a remote location. A. Technology Standards All information technology resources, regardless of ownership, that contain institutional information or research data must have the following foundational information security controls in place and functioning. Alternative, but equally effective, controls may be substituted in accordance with the exception process. For more information see: https:///securitycontrols. Additional controls may be required based on the categorization of the information or data, the nature of the information technology resource, the applicable regulatory or contractual requirements, or other risk management calculations. For more information see: [URL] 1. Foundational Information Security Controls The five foundational information security controls identified at the time of this policy s publication are referenced below. For additional information, or to see a complete, updated list of foundational information security controls, see https:///securitycontrols a) Patch Management Security patches must be installed, operational and regularly updated on all information technology resources. b) Anti-Malware Anti-malware solutions must be installed, operational and regularly updated for applicable information technology resources. c) Firewall Software to block incoming connections, unless explicitly allowed, must be installed and configured on applicable information technology resources. 6

d) Encryption All institutional information and research data stored on end-user devices must be encrypted. e) Secure Disposal All information technology resources that contain institutional information or research data must be disposed of in an authorized manner. B. Account Standards All users have a responsibility to protect the university accounts under their care. Protection of these accounts may vary according to the risk that they present. Accounts with enhanced privileges may have additional requirements. At a minimum, all accounts must adhere to the following: 1. Credential Sharing Credentials for individual accounts must not be shared. For more information see [URL]. 2. Password Complexity Password-protected accounts that have a password associated with them must adhere to the password complexity requirements as the system allows and as described at: https:///support/accounts/account-password-rules. Credential Re-Use VI. Terms and Definitions Assets: Information technology resources, such as hardware and software and also including institutional information, research data, and intellectual property. Availability: Ensuring timely and reliable access to and use of information. A loss of availability is the disruption of access to or use of information or an information system. Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. A loss of confidentiality is the unauthorized disclosure of information. Custodians: See Institutional Information and Data Custodians below. Data Categorization: See Institutional Information and Research Data Categorization. Data Custodians: Any individuals (employees, volunteers, etc.) who access, manage, or manipulate institutional information or research data. Custodians must follow campus policy and stewardship rules for handling of institutional information and research data. 7

End-User: Anyone who consumes an information service. For more information see User. End-User Devices: Information Technology system operated by users; e.g. Desktop and Laptop computers, Mobile phones, tablets, etc. Information security: The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability. Information Security Incident: An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies. Information Service: A collection of information technology systems through which a user can access, manipulate, or create campus assets. Information Technology (IT) Resources: Anything that generates, stores, processes or transmits electronic information. This includes end-user devices and information technology systems. Information Technology System: A subset of information technology resources that collectively provide an information service to end-user devices. Institutional Information: Any information, regardless of medium, in the furtherance of the campus mission, excluding research data. Institutional Information and Research Data Categorization: The exercise of mapping data to the appropriate security categories as identified in FIPS-199. Integrity: Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. A loss of integrity is the unauthorized modification or destruction of information. Network: A group of information technology resources and other computing hardware devices that are linked together through communication channels to facilitate communication and resourcesharing among a wide range of users. Research Data: All recorded information, regardless of medium, and all actual samples or examples, that were created or gathered and that could serve to influence or support a research finding or conclusion. Data does not include such items as research papers cited by the researcher, preliminary notes or paper drafts, reviews, or related communications, or items that are already 8

the property of others. This definition is intended to characterize current research norms, not to modify them. Service Security Plan: Formal document that provides an overview of the security requirements for an information system and describes the security controls in place or planned for meeting those requirements. User: A person who accesses, manages, or manipulates institutional information, research data, or information technology resources. This definition includes, but is not limited to, all faculty, students, staff, contractors, visiting researchers, or guests and volunteers. VII. References 1. Confidentiality of Institutional Information Technology Resources Policy http:///security/conf-policy 2. Acceptable Use of Information Technology Resources Policy http:///security/acceptable-use-policy 3. Records Retention and Disposition Schedules http://www.umass.edu/records/recordretention-and-disposition-schedules 4. Secure Disposal of Information Technology 5. UMASS Amherst IT Security Center http:///security 9

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback